Authentication: How SMEs protect their network and data with 2FA and MFA

Do your employees work from home or on the road at least some of the time? Do web applications or suppliers regularly access your company network? Then you should definitely protect your IT and your data with strong authentication measures such as 2FA or MFA.

Password protection is not enough: 2FA and MFA for SMEs

Remote access from outside represents a gap in the security arrangements of many SMEs in Switzerland. An ever-increasing number of employees working from home, freelancers, IT service providers and suppliers are accessing the company network, web applications, business-critical programs and sensitive data. A password alone, no matter how good it is, is no longer enough to securely protect and control access. With two-factor authentication (2FA) or multi-factor authentication (MFA), small and medium-sized enterprises can greatly improve the security of their data and systems with comparatively little effort.

Identify or authenticate?

Each login process can be divided into three steps:

  1. Log in: The user identifies himself/herself with their username and password and logs in – identification.
  2. Check: The system checks all the user's details and compares them with the entries in the database – authentication.
  3. Authorize: The system releases access if the information is correct and grants the user role-based rights – authorization.

How do 2FA and MFA work?

With two-factor authentication, the user must authenticate themselves with two factors, usually their password plus one additional factor. This can be a code, for example, which the system sends to the registered smartphone by text message after the password has been entered correctly. Other factors may include an authenticator app, a fingerprint, a USB token, a smart card or a client certificate on their laptop.

With multi-factor authentication, the user must authenticate themselves with at least two factors, each taken from a different one of the following categories:

  • Something that only the user knows, for example their personal password
  • Something that only the user possesses, such as their smartphone or USB token
  • Something that only the user embodies, for example their fingerprint (Touch ID) or their face (Face ID)

Regardless of whether access is protected with 2FA or MFA, the system will not allow access until all factors have been correctly authenticated.

The advantages of 2FA and MFA for SMEs

  • Security: 2FA and MFA significantly reduce the risk of unauthorized access and data breaches, as cybercriminals have to pick at least two locks. Even if they find out the password through phishing, they cannot access the system or the data because they do not have the smartphone or fingerprint, for example.
  • Compliance: More and more industries have to comply with strict security standards such as strong authentication measures. Companies that meet these requirements avoid legal consequences and, at the same time, strengthen the trust of customers and partners.
  • Costs: With the introduction of 2FA or MFA for all user accounts, SMEs avoid losses, costly business interruptions, and expensive system and data recovery measures as well as unquantifiable reputational damage that could even jeopardize their existence.

Tips for the introduction of MFA and 2FA in SMEs

The MFA or 2FA rollout must be carefully planned and executed to seamlessly integrate authentication and effectively protect the corporate network. SMEs that have no or too few IT resources are best advised to commission specialists: for example, your IT service supplier for remote access to the company network, or your web host or a programmer for access to the online store. It makes sense to protect the following access points with MFA or 2FA:

  • Remote access to sensitive and business-critical company data, such as emails
  • Access to the intranet via the Virtual Private Network (VPN)
  • Access to web or cloud solutions or applications
  • Access to Infrastructure-as-a-Service (IaaS) and Software-as-a-Service (SaaS) components
  • Network components and control systems that are connected to the Internet

MFA or 2FA should be implemented for the entire company, not just for employees. This means end-to-end provision for all users: from employees to management, IT staff and administrators through to external employees and service suppliers. Only then will the IT infrastructure and business-critical data be truly secure and protected. In principle, there should be no exceptions, and multi-factor authentication should be enforced for all users and all remote access. Justified exceptions to this rule should be documented and limited in time. All employees should be trained accordingly during the 2FA/MFA introduction, so that they know how the entry of the second (and possibly third) factor works and in which situations these factors are requested.

Prevention instead of cure: Risk assessments for SMEs

For SMEs we offer security checks and security assessments that reveal vulnerabilities such as a lack of 2FA or MFA. Such security gaps must be closed immediately: by the SME's security officer, by the IT department or by an external IT service supplier if support is outsourced. Zurich Resilience Solutions carries out 60,000 fee-based risk assessments every year, among others for SMEs that want to know how secure their IT infrastructure, business-critical applications and sensitive data are.

Cyber insurance for SMEs

If you are well-prepared, you will be better able to cope with the consequences of a cyberattack or system failure – whether it's a business interruption, data loss or liability claims from customers or partners.

FAQs on the technical implementation of multi-factor authentication (MFA) for corporate customers/SMEs

Which systems should be protected with 2FA or MFA?

All your company's systems, applications and data connected to the Internet. These include, among others:

  • remote connections for accessing the company network such as VPN or Citrix connections,
  • your company's email system,
  • third-party web applications ("software as a service") that your company uses, and
  • network components and control systems accessible via the Internet.

For which users should 2FA or MFA be activated?

For anyone with remote access to your company network, your data and your systems. And preferably without exceptions, because every unprotected user account is vulnerable. Therefore, 2FA or MFA should be activated for the following groups wherever they have remote access:

  • all employees from all divisions,
  • the entire company management and all management functions,
  • all IT employees and IT administrators, and
  • all external employees or suppliers.

What alternatives are there if 2FA or MFA is not possible for all accounts and users?

  • You can define a source IP address for known and trusted partners via which they can access the company network. 2FA or MFA must still be activated for all other IP addresses, however.
  • Everyone who can access the company network must define secure passwords and change them quarterly. If a password is entered incorrectly several times, the account should be blocked.
  • Install remote maintenance software such as TeamViewer for service suppliers who only need occasional access to the company network.
  • If you want to permanently connect branch offices, for example, a site-to-site VPN connection could be useful. Ask your IT service supplier.

What should be considered when implementing the MFA or 2FA solution?

  • Carry out regular updates and patches to ensure the security of your solution.
  • Use the latest cryptographic procedures and configure your systems as recommended by the manufacturer.
  • Deactivate legacy authentication and fallback mechanisms. These older authentication methods often offer only weak encryption or no second factor at all and are therefore more susceptible to attacks.
  • Activate logging for all logins and set up an alarm for failed attempts and suspicious activities.
  • Pay attention to the scalability and availability requirements of the 2FA/MFA solution during implementation.
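The following is an added illustration, not code from the original article: a minimal two-factor login check in the sense described above (password as the knowledge factor, a time-based one-time code from an authenticator app as the possession factor), including the account lockout after repeated failures and the per-attempt audit log recommended in the implementation tips. The user record, salt and password are constructed demo values; the TOTP secret is the public RFC 4226/6238 test-vector secret, so the codes can be checked against the RFC.

```python
import hashlib
import hmac
import struct

# Constructed demo data, not from the original article: one account with a
# PBKDF2-hashed password (knowledge factor) and a TOTP secret (possession factor).
SALT = b"demo-salt"
TOTP_SECRET = b"12345678901234567890"   # RFC 4226 / RFC 6238 test-vector secret
MAX_FAILURES = 5                         # lock the account after this many failures
AUDIT_LOG: list[str] = []                # one line per attempt, success or failure

def hash_pw(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)

USERS = {"alice": {"pw_hash": hash_pw("correct horse"), "totp_secret": TOTP_SECRET,
                   "failures": 0, "locked": False, "last_counter": -1}}

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret: bytes, now: int, step: int = 30) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from Unix time."""
    return hotp(secret, now // step)

def login(user: str, password: str, code: str, now: int) -> bool:
    """Two-factor login: access is granted only when BOTH factors verify."""
    rec = USERS.get(user)
    if rec is None or rec["locked"]:
        AUDIT_LOG.append(f"{now} user={user} result=denied reason=unknown_or_locked")
        return False
    pw_ok = hmac.compare_digest(rec["pw_hash"], hash_pw(password))
    # Accept the current or previous 30 s step (clock drift), but never a counter
    # already used by a successful login, so an intercepted code cannot be replayed.
    matched = next((c for c in (now // 30, now // 30 - 1)
                    if c > rec["last_counter"] and hmac.compare_digest(
                        code.encode(), hotp(rec["totp_secret"], c).encode())), None)
    if pw_ok and matched is not None:
        rec["failures"], rec["last_counter"] = 0, matched
        AUDIT_LOG.append(f"{now} user={user} result=success")
        return True
    rec["failures"] += 1                 # a wrong password and a wrong code both count
    reason = "bad_password" if not pw_ok else "bad_otp"
    if rec["failures"] >= MAX_FAILURES:
        rec["locked"] = True             # this is the event an alarm should fire on
        reason += ",account_locked"
    AUDIT_LOG.append(f"{now} user={user} result=failure reason={reason}")
    return False                          # the caller only ever sees a generic failure
```

The detailed failure reason goes to the audit log only; the login response itself does not reveal which factor failed.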
